Network security is not a choice; it’s a must. Palo Alto Networks is one of the top firewall platform choices when it comes to protecting and securing all your critical on-premise and cloud infrastructures. That said, it’s highly probable that you, as a Network Security Engineer, are or will be managing or deploying one in your own or your customers’ environments.
This training guide will help you fully understand what tools, features, and options your Palo Alto firewalls can offer to protect and enhance visibility in your network traffic. It has been developed by someone who understands that learning every possible aspect of a technology platform can consume precious time.
Why is this course perfect for you? It will get you from zero to hero in no time, so you can take full advantage of all of the features that the Palo Alto firewall platform has to offer. From initial policy configurations to configuring NAT and security rules to building Active/Active highly available clusters, you’ll learn everything required to set it up like a pro.
After completing this training guide, you’ll feel confident that you can take full advantage of all of the features of Palo Alto firewall and most importantly, keep the bad guys out of your network.
About the Author
Rene Cardona is a Network Solutions Architect with over 8 years of experience in core data centers and security infrastructure designs, architecture, consulting, and implementations. He has performed many security and data center architecture refreshes for major U.S. corporations in the logistics, retail, healthcare, and education fields.
He has provided expert insights during migrations from firewall platform vendors such as Palo Alto, Cisco, Fortinet, and Checkpoint. His vast proficiency experience ranges from Hyper-Converged Datacenter Environments He is currently in charge of securing one of the biggest shipping container terminals in the United States.
This video will give you an overview of the course.
This video will introduce you to the Palo Alto Networks Operating System version 8 (PAN-OS 8) web graphical user interface. It will also familiarize the end user with the web management interface and with navigating its tools and settings.
• Review dashboard tab and object tab
• Analyze the policy tab, network tab, and device tab
• Explore ACC tab and monitor tab
This video reviews the PAN-OS 8.1.0 home dashboard. It shows how to customize the dashboard to the firewall administrator’s benefit, interpret system logs, and add widgets to the dashboard.
A guided tour of the functions available inside the console interface: retrieving information, performing troubleshooting steps, and carrying out maintenance tasks.
• Use show commands to query information not shown in the GUI
• Use request to execute various administration commands
• Use test to perform fast troubleshooting steps
An overview of how we can effectively delegate and control access to a management interface. It also shows how to provide management attributes to an interface and delegate custom rights to local administrators.
• Review the physical interface location
• Configure a management profile
• Configure an administrator role for management purposes
This video explains in detail how to create and apply address objects and groups to structure a clean and precise security policy table.
• Create an address object
• Create an address group
• Consolidate address objects into their respective groups
This video explains in detail how to apply service objects and groups in the firewall security policy table, and how doing so allows a concise, standardized policy structure.
• Create a service object
• Create a service object group
• Nest service object groups to shrink the policy table
This section explains in detail how to profile the traffic by creating application objects and classify them in groups.
• Create an application object
• Create an application group
• Classify application objects in a group
Here we shall review Applipedia, or the Application Research Center, to understand the Palo Alto Networks application object database. We shall also review application object dependencies to properly configure application objects.
• Get familiar with applipedia.paloaltonetworks.com
• Review application object dependencies
• Add required dependencies for specific application groups
This explains how to create local user accounts on the firewall, to enforce security policies, based on the local user database. Also, how to create local user groups to organize and enforce user group based policies.
• Create a local user account
• Create a local user group
• Add the local user to the local group and enforce security
This video explains how to integrate your Palo Alto firewall with LDAP to enforce directory service-based user account security policies.
• Perform LDAP integration with service account
• Perform LDAP user group mapping
• Create security groups with LDAP security groups
We shall configure a source address translation that will allow internal users to reach the outside zone (Internet).
• Create the source NAT policy
• Create the security policy to allow outbound access
• Enable the policy and test reachability to the internet from an internal user
This video shows how to provide mandatory security isolation by classifying interfaces into their respective locations on the network.
• Identify your perimeter networks: outside, inside, and DMZ
• Create individual security zones
• Add respective member interfaces on each zone
This video explains various options to provide end to end connectivity between your Palo Alto firewall and your core network infrastructure.
• Configure Layer 2 interfaces
• Configure Layer 3 interfaces
• Configure Tunnel, Loopback, and HA interfaces
This video explains how to allow the Palo Alto firewall to enforce traffic policy transparently by bridging ingress and egress interfaces, with traffic classified in zones, without influencing routing path decisions.
• Configure the physical interfaces in V-wire mode
• Create a V-wire bridging the two interfaces that were previously configured
• Allocate each V-wire member interface to a security zone and create a security policy
This video uses a real-life work scenario to introduce how to build network security policies.
• Review the security rule requirements
• Create required objects
• Configure the required security policy
Applying security policies based on application and user attributes.
• Identify the user or application to grant/restrict traffic
• Create required application/user objects
• Configure the required security policy
This video will review our first virtual router deployment and enable traffic flow on the virtual instance.
• Create the virtual router (VRTR) for internet access
• Identify the user traffic that will be granted internet access
• Apply the route on the virtual router and enable access to the outside world
We shall see how to create a dedicated virtual router for server traffic and enable dynamic routing.
• Create the virtual router (VRTR) for server traffic access
• Configure OSPF as our dynamic routing protocol
• Advertise a network via OSPF, between the core and the firewall
Here, we shall configure a destination network address translation that will allow external users to reach a web server on the DMZ.
• Create the destination NAT policy
• Create the security policy to allow inbound access
• Enable the NAT policy and test reachability from the user’s perspective
General overview of all the next generation features available on the Palo Alto firewall.
• Discuss each security profile
• Demonstrate use case scenarios
• Explore options available inside each security profile
Apply antivirus and anti-spyware profiles to protect the environment from common threats.
• Review default settings on each profile
• Create custom profiles
• Apply both default and custom profiles to each respective policy
Configure URL filtering and file blocking profiles to limit user access to restricted content on the web.
• Review default settings on each profile
• Create custom profiles
• Apply both default and custom profiles to each respective policy
Review and configure DoS zone protection profiles and understand the use cases.
• Configure DoS protection profiles
• Configure DoS zone protection policies
• Review the zone protection profile configuration
A general overview of HA environments in Palo Alto firewalls.
• Active/Standby overview
• Active/Active overview
• Virtual IP overview
Enable redundancy on the PA environment with Active/Standby HA configuration.
• Enable the HA interfaces
• Enable Active/Standby with HA Interface configurations
In this video, we will execute a failover test.
• Configure HA interfaces
• Configure zones: both outside and inside
• Confirm HA is active and execute a failover test
Here, we shall enable redundancy and load balancing, and maximize capacity on the PA environment with Active/Active HA configuration.
• Configure unique Zone IPs
• Configure virtual IPs and enable Active/Active HA
• Confirm HA is active and execute a failover test
Enable Active/Active traffic load balancing with virtual IPs and failover traffic with floating IPs.
• Configure ARP load sharing with virtual IPs
• Configure floating IPs
• Test virtual IP reachability and failover services
Leverage hardware resources and limit complexity and maintenance by enabling virtual systems.
• Enable virtual systems (vsys) under device
• Create virtual systems
• Allocate dedicated interfaces and virtual routers to the vsys
A general overview of IPSec tunneling options and GlobalProtect.
• Review the IPSec site to site tunnel modes
• Review the GlobalProtect gateway and portal
• Understand the cases where we can apply either of the solutions
Enable a site-to-site IPSec tunnel in tunnel (proxy) mode and send traffic between the distant networks.
• Configure all prerequisites for our IPSec tunnel
• Configure the IPSec tunnel along with security policies
• Enable the tunnel and test traffic flow and reachability
Convert the IPSec tunnel to interface mode by configuring L3 tunnel interfaces.
• Configure the tunnel interfaces in L3 and allocate IPs
• Enable dynamic routing (OSPF) and advertise distant networks
• Confirm traffic reachability to the advertised networks
Enable the GlobalProtect portal and assign access groups.
• Configure the VPN users and user groups
• Configure the GlobalProtect portal on the outside interface
• Test reachability of the GlobalProtect portal and download the GlobalProtect agent
Enable secure remote access for your external users by configuring a GlobalProtect gateway for VPN services.
• Create a GlobalProtect VPN security zone and tunnel interface
• Create a GlobalProtect gateway and configure the agent
• Configure the GlobalProtect portal agent for external gateway access
A detailed demonstration of the PAN-OS upgrade procedure, covering base PAN-OS and maintenance PAN-OS versions.
• Discuss upgrade paths
• Perform maintenance version upgrades
• Perform base version upgrade
This video gives an overview of firewall configuration management, including configuration backups, restores, reverts, and audits.
• Perform running and candidate configuration audits
• Perform configuration backup and snapshot
• Perform configuration reverts and restores
Perform emergency recovery procedures and troubleshooting with the maintenance recovery tool.
• Boot the Palo Alto firewall and enter “maint” when prompted during boot
• Restore from factory once in the maintenance mode, if needed
• Repair disk partition corruption, if needed, using the recovery tool
We shall administer multiple geographically dispersed Palo Alto firewalls using Panorama.
• Add devices to Panorama
• Configure device groups in Panorama and add respective devices
• Configure shared policies for all device groups or configure policies per device group